From 9c923687746294293473c25f2821253a9f18b469 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Tue, 18 Jun 2019 14:58:19 +0200
Subject: [PATCH] SSL Context: Explicitly load ECC ciphers on el7

Otherwise curl/nss as client won't be able to use the new default cipher list.

fixes #7247
---
 lib/base/tlsutility.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index a3edc8758..3bde27a7a 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -73,6 +73,9 @@ static void SetupSslContext(SSL_CTX *sslContext, const String& pubkey, const Str
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 	SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)"Icinga 2", 8);
 
+	// Explicitly load ECC ciphers, required on el7 - https://github.com/Icinga/icinga2/issues/7247
+	SSL_CTX_set_ecdh_auto(sslContext, 1);
+
 	if (!pubkey.IsEmpty()) {
 		if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
 			Log(LogCritical, "SSL")
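Review bot: The comment on the added line misdescribes the call — `SSL_CTX_set_ecdh_auto` does not load any ciphers, it tells OpenSSL 1.0.2 (the el7 build) to pick an ECDH curve automatically so that the ECDHE suites already in the cipher list can actually be negotiated, and on OpenSSL 1.1.0 and later the macro is a no-op because curve selection is always automatic there. I would reword it to `// Enable automatic ECDH curve selection on OpenSSL 1.0.2 (el7) so ECDHE suites can be negotiated; no-op on 1.1.0+ - https://github.com/Icinga/icinga2/issues/7247` so the next maintainer does not look for cipher loading that is not happening. The return value is also discarded; on 1.0.2 this expands to an SSL_CTX_ctrl() call that can report failure, so treating a zero result like the certificate-loading branch below (a LogCritical and an error) would surface a broken context at startup rather than only when clients fail to negotiate. SetupSslContext begins and ends outside this hunk, so I cannot see whether ECDH support is guarded elsewhere by OPENSSL_NO_ECDH or a version check.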